Symtrex Inc.

Cyber Security Specialist


Archives for November 2016

The Definitive Guide to Security Intelligence and Analytics

2016/11/17 by admin

By Karen Scarfone

My colleague, Steve Piper, and I just finished writing a free ebook: The Definitive Guide to Security Intelligence and Analytics. In this comprehensive ebook, we cover how you can use security intelligence and analytics technologies to greatly improve detection and to stop threats before damage can be done.

The ebook has three main purposes:

  1. To explain how you and your organization can benefit from adopting and using a security intelligence and analytics platform.
  2. To provide advice on what characteristics to look for when you’re evaluating possible solutions.
  3. To give you tips on deploying a platform solution so you can get the most out of it.

In the ebook, you’ll also learn how to understand attacks and threats, improve detection, streamline response processes, select the right solution, and deploy a solution.

Automating Event Discovery through Security Analytics

One of the most important topics covered by the book is using security analytics techniques to automate the discovery of security events, minimizing the need for human involvement.

Most organizations have enormous volumes of security events to review on a continuous basis, and that can’t be done without heavily relying on automation. Automating security analytics helps organizations to detect malicious activity much more quickly so they can stop it and minimize the damage it would otherwise cause.

A security intelligence and analytics platform uses several types of techniques together for threat detection. One technique is for the platform to establish baselines over time for normal activity and then identify significant changes from those baselines.

Another technique is to use threat intelligence feeds from third parties that capture the characteristics of the latest threats attacking other organizations and individuals around the world.

A final example of a threat detection technique is correlating information from several of the organization’s systems and security controls to identify a security event that traverses all of those places.
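The three techniques above (baselining, third-party threat intelligence, and cross-source correlation) are easier to see in code than in prose. The block below is an added example, not code from the ebook or from LogRhythm: every event, byte count and indicator in it is constructed, the host names and the `203.0.113.77` indicator are made-up values, and the thresholds (3 standard deviations, 3 firewall denies inside 120 seconds) are illustrative choices rather than anything the ebook prescribes.

```python
"""Three detection techniques from the passage, run over constructed events.
Added example; not LogRhythm's or the ebook's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound byte counts per host. The first seven values are
# the baseline period; the eighth is the day under review.
OUTBOUND_BYTES = {
    "ws-012": [410, 388, 402, 395, 420, 399, 405, 6_900],     # spike on day 8
    "ws-044": [1_200, 1_150, 1_300, 1_180, 1_220, 1_260, 1_190, 1_240],
}

# Constructed threat-intelligence feed (indicators seen attacking others).
# 203.0.113.77 is a TEST-NET-3 documentation address, not a real indicator.
THREAT_INTEL = {"ip": {"203.0.113.77"}}

# Constructed events from three sources: web proxy, firewall, endpoint agent.
EVENTS = [
    {"src": "proxy",    "ts": 100, "host": "ws-012", "dst_ip": "203.0.113.77"},
    {"src": "proxy",    "ts": 160, "host": "ws-044", "dst_ip": "198.51.100.9"},
    {"src": "firewall", "ts": 200, "host": "ws-012", "action": "deny", "dst_port": 445},
    {"src": "firewall", "ts": 205, "host": "ws-012", "action": "deny", "dst_port": 445},
    {"src": "firewall", "ts": 210, "host": "ws-012", "action": "deny", "dst_port": 445},
    {"src": "endpoint", "ts": 240, "host": "ws-012", "event": "new_local_admin"},
    {"src": "endpoint", "ts": 900, "host": "ws-044", "event": "new_local_admin"},
]


def baseline_deviations(series, baseline_days=7, threshold=3.0):
    """Technique 1: compare the latest value with the host's own history.

    Returns {host: z_score} for hosts whose latest value sits more than
    `threshold` standard deviations above their baseline mean."""
    alerts = {}
    for host, values in series.items():
        history, latest = values[:baseline_days], values[baseline_days]
        mu, sigma = mean(history), pstdev(history)
        z = (latest - mu) / sigma if sigma else 0.0
        if z > threshold:
            alerts[host] = round(z, 1)
    return alerts


def threat_intel_hits(events, feed):
    """Technique 2: match event fields against indicator sets from a feed."""
    return [(e["host"], e["dst_ip"]) for e in events if e.get("dst_ip") in feed["ip"]]


def correlate(events, window=120, min_denies=3):
    """Technique 3: join two sources on host and time. A burst of firewall
    denies followed within `window` seconds by a new local admin account on
    the same host is reported as one security event."""
    denies = defaultdict(list)
    for e in events:
        if e["src"] == "firewall" and e.get("action") == "deny":
            denies[e["host"]].append(e["ts"])
    hits = []
    for e in events:
        if e["src"] == "endpoint" and e.get("event") == "new_local_admin":
            recent = [t for t in denies[e["host"]] if 0 <= e["ts"] - t <= window]
            if len(recent) >= min_denies:
                hits.append(e["host"])
    return hits


if __name__ == "__main__":
    print("baseline deviations:", baseline_deviations(OUTBOUND_BYTES))
    print("threat intel hits:  ", threat_intel_hits(EVENTS, THREAT_INTEL))
    print("correlated hosts:   ", correlate(EVENTS))
```

Run as written, only `ws-012` is reported by all three detectors; `ws-044` generates a new local admin too, but with no preceding deny burst and no indicator match, so no single source would justify an alert on it. That difference is the point of combining the techniques rather than running any one of them alone.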

Downloading the Ebook

Event discovery automation is just one example of a topic the ebook includes. It covers everything from understanding the basics of the cyberattack lifecycle and threat management to streamlining incident management, threat investigation, and threat mitigation processes. It even outlines the four phases of the security intelligence and analytics platform implementation process, providing insights and recommendations for performing each phase.

Thanks to LogRhythm, The Definitive Guide to Security Intelligence and Analytics ebook is available as a PDF for you to download.

Filed Under: compliance, CyberThreats, Log Management, LogRhythm, Products, Security News

Outsider attack, the main cyber threat US companies are not prepared for

2016/11/17 by admin

By Razvan Muresan, Bitdefender - Business Insights

The main cyber threats companies are not prepared for are: outsider attack (43%), data vulnerability (38%), insider sabotage (35%), user errors (35%), and phishing (35%), according to a Bitdefender survey on US IT decision makers.

Outsider attacks and data vulnerability pose a significant risk for all companies and represent the main threats that companies are unprepared to handle, and CIOs are aware that cybercriminals can spend large amounts of time inside organizations without being detected - APTs are often defined as designed to evade detection.

Cyber criminals also use tactics to draw attention away from what they are doing and where they have succeeded, while these cyberattacks impact business decisions, mergers/acquisitions and competitive positions, as recent reports confirmed.

“To limit the risks of insider sabotage and user errors, companies must establish strong policies and protocols and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” Bitdefender’s Bogdan Botezatu, Senior e-Threat Specialist recommends. “The IT department must create policies for proper usage of the equipment, and ensure they are implemented.”

In the past two years, companies witnessed a rise in security incidents and breaches, with a significant increase in documented APT (Advanced Persistent Threat) type of attacks targeting top corporations or government entities (such as APT-28). This type of attack is intended to exfiltrate sensitive data over a long period or silently cripple industrial processes. In this context, concerns for security are rising to the top levels, with decisions taken at the board level in most companies. Both IT decision makers and CEOs are concerned about security, not only because of the cost of a breach (unavailable resources and/or money lost), but also because the reputation of their companies is at risk when customer data is lost or exposed to criminals. As real cases have shown, the bigger the media coverage a security breach receives, the greater the complexity of the malware causing it. On top of this, migrating corporate information from traditional data centers to a cloud infrastructure has significantly increased companies’ attack surface, bringing new threats and more worries to CIO offices regarding the safety of their data.

Read the full white paper here.

Methodology

This survey was conducted in October 2016 by iSense Solutions for Bitdefender on 250 IT security purchase professionals (CIOs/CEOs/CISOs – 26 percent, IT managers/directors – 56 percent, IT system administrators – 10 percent, IT support specialists – 5 percent, and others), from enterprises with 1,000+ PCs based in the United States of America.

More than half of the organizations surveyed are from the IT hardware and software / electronic and electrical engineering industries, while 24 percent are from manufacturing, 6 percent from transportation, 4 percent are providers of telecommunication services, 4 percent are utility or public services companies, and the rest come from construction, retail, distribution, media or other industries.

Some 62 percent of the organizations surveyed have over 3,000 employees, 14 percent between 2,000 and 2,999, and 24 percent between 1,000 and 1,999.

Regarding IT infrastructure development in the organizations, 39 percent of the companies have 3,000+ computers, 21 percent between 2,000 and 2,999, and 40 percent between 1,000 and 1,999. The average proportion of employees working on computers in the organizations surveyed is 74 percent.

Geographically, a third of the organizations are in the West, 30 percent in the North-East, 28 percent in the South and 11 percent in the Mid-West.

Contact us for more information on Bitdefender.


Filed Under: Advanced Persistent Threat, antivirus, Bitdefender, compliance, CyberThreats, endpoint, Malware, Products, Security News

Call centre agents warned about malicious email attachments from potential customers

2016/11/15 by admin

by Howard Solomon - IT World Canada

Contact centre agents should be warned about letting alleged customers send them email with attachments, after a security vendor discovered a new wave of attacks against three of its customers, including North American hospitality companies. The attacks are similar to ones from the Eastern European based Carbanak crime group.

In a blog posted Monday, Trustwave said it came to that conclusion after investigating incidents.

In one instance an attacker called a customer contact line saying that they were unable to use the online reservation system and so wanted to send their information to the agent by email attachment, said the report. The attachment was a malicious Word document that contained an encoded .VBS script capable of stealing system information and desktop screenshots and of downloading additional malware. The malware replaced the text of the Word document with its own, which to the agent looked like a request for information from the hotel about a corporate function.

The malicious VBScript uses macros to search for instances of Microsoft Word running on the system; if one is found, it clears the existing text and replaces it. “This malware was capable of stealing significant system and network information,” says Trustwave. “It was also used to download several other reconnaissance tools to map out the network.” Downloaded tools have included Nmap, FreeRDP, NCat, NPing, and others.

Beaconing messages are sent out to 179.43.133.34 via standard HTTP GET requests every five minutes, said Trustwave, to let a command and control server know a system has been compromised. “Using this simple methodology allows the beaconing to hide very well within standard corporate network traffic.” However, the report adds, its uniformity of structure also allows analysts to identify it relatively quickly as well.
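The report's point that plain HTTP GET beacons hide well in corporate traffic yet are easy to spot once you look for their regularity is what a detection engineer would turn into a query. The block below is an added example, not Trustwave's code or anything from the report: it parses a constructed proxy log (the one-line-per-request format, the `ws-017` host name, the paths and the timestamps are all made up) and flags source/destination pairs whose request gaps are nearly constant. The destination address is the beacon address the article reports; the jitter tolerance and minimum request count are illustrative choices.

```python
"""Flag fixed-interval HTTP beaconing in a proxy log.
Added example; not Trustwave's code. Log format and hosts are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <source-host> <method> <url> <status>".
# 179.43.133.34 is the beacon address named in the article; everything else
# (host name, paths, times, the example.com browsing) is made up.
SAMPLE_LOG = """\
2016-11-14T09:00:02 ws-017 GET http://179.43.133.34/index.php?id=1 200
2016-11-14T09:00:41 ws-017 GET http://www.example.com/ 200
2016-11-14T09:05:01 ws-017 GET http://179.43.133.34/index.php?id=1 200
2016-11-14T09:07:55 ws-017 GET http://www.example.com/news 200
2016-11-14T09:10:03 ws-017 GET http://179.43.133.34/index.php?id=1 200
2016-11-14T09:12:10 ws-017 GET http://www.example.com/ 200
2016-11-14T09:15:02 ws-017 GET http://179.43.133.34/index.php?id=1 200
2016-11-14T09:20:02 ws-017 GET http://179.43.133.34/index.php?id=1 200
2016-11-14T09:31:44 ws-017 GET http://www.example.com/about 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse(log):
    """Yield (timestamp, source_host, destination_host) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip anything not in the expected format
        ts = datetime.fromisoformat(m.group(1))
        netloc = m.group(4).split("/")[2]  # "http://host/path" -> "host"
        yield ts, m.group(2), netloc


def find_beacons(log, min_requests=4, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose inter-request
    gaps are nearly constant (coefficient of variation <= max_jitter).

    Normal browsing produces irregular gaps and is left out; a timer-driven
    check-in produces a tight cluster of gaps and is reported."""
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue                       # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_jitter:
            beacons[key] = round(mu)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: regular requests every ~{interval}s")
```

On the sample log the example.com traffic has four requests too, but its gaps (434 s, 255 s, 1174 s) vary far more than 10 percent of their mean, so only the five-minute pair is reported. Jitter tolerance is the knob that matters in practice: set it too tight and malware that randomizes its sleep slips through, too loose and scheduled software updates start to look like command and control.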

If not stopped, however, the process downloads malware that executes a new iteration of svchost.exe and injects its malicious code into this running process. This hides the malware within the svchost.exe process. It then searches Kaspersky antivirus processes and terminates them if running on the victim system.

It then downloads kldconfig.exe, kldconfig.plug, and runmem.wi.exe, which Trustwave says are all well-known Carbanak malware tools. Variations of them were used in the banking intrusions in 2015. Additionally, the decrypted code references “anunak_config” which is the encrypted configuration file that it downloads from its control server. The Anunak crime group is generally believed to be synonymous with Carbanak.

“This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems (which Carbanak used so effectively in recent banking attacks), or install completely different remote desktop programs, such as VNC or AMMYY … Finally, this malware, like so many others, is designed to target credit card data by scraping memory on Point-of-Sale systems, which is presumably the end goal.”

In short, “the attacker uses social engineering to gain their foothold in the victim network, downloads reconnaissance tools to scan the network and move laterally into the card holder data environment, and then infects systems able to process card transactions.”

“The persistence, professionalism, and pervasiveness of this campaign are at a level rarely seen by Trustwave,” says author Brian Hussey, the company’s director of global incident readiness and response. “The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.”

Have a question on how to protect yourself - give us a call 866-431-8972.

Filed Under: antivirus, Bitdefender, CyberThreats, endpoint, Kaspersky, LogRhythm, Malware, Network Access Control, Products, Security News, Snoopwall, Sophos

The pitfalls of IoT devices and how to address them

2016/11/15 by admin

by Luana Pascu - Hot for Security, powered by Bitdefender

Many challenges affect IoT security, and the top issue is that no connected device can be secured 100 percent. What’s worse is that not much has actually improved since former US Vice President Dick Cheney’s wireless pacemaker was disabled to prevent attempts on his life. That was nine years ago!

Recent DDoS attacks prove that 500,000 devices can be hacked in less than five minutes and turned into botnets, because they haven’t been, or can’t be, updated. Some researchers expect connected devices to reach 50 billion by 2020 while others forecast 20 billion by that date. One thing is clear: the number is growing to at least four devices per user, and we haven’t seen the worst yet. What will happen when billions of connected devices, with old software, are turned into weapons to attack organizations, cities and even governments?

IoT security is right where we left it nine years ago, although the number of connected devices keeps on soaring. This issue is vital but manufacturers keep ignoring it, while users are as naïve as ever. The only winners in this are hackers, who take advantage of the many opportunities created by the lack of infrastructure to protect IoT and mobile devices. If you are having problems with IoT security, check out these Internet of Things services.

We’re going through tremendous online transformation, yet the threats we’re dealing with are “beyond the devices used, as hackers will not only target your devices but all the data stored in the cloud,” Emmanuel Schalit, CEO of Dashlane, a password managing company, said in a panel talk at WebSummit last week about how to protect connected devices.

We already know users are a liability, but they also carry great responsibility. Even high-profile officials come up with the weakest passwords and reuse them for multiple accounts. Remember the Podesta email leak fiasco?

Most likely, password security is not the answer anymore. In fact, we need to get rid of them and find a way to secure IoT without involving humans because “consumers have a short memory on breaches,” said Rami Essaid, co-founder of Distil Networks. Instead of demanding better security, users expect dozens of fancy features which only increase security risks.

“Human authentication is not scalable because you can’t type passwords or download firmware updates every day for each device in your smart home,” explained Essaid.

IoT devices are entry points for hackers, but smart homes are not the only areas posing risks to our privacy and safety. Power grids, medical devices, water mains and smart meters collect critical data in real time and, if abused, the consequences could be critical for entire city infrastructures. These devices need unique built-in security that stands the test of time, even 10 – 15 years from now, so vulnerabilities can’t turn them into backdoors to the cloud. Upgradeability may solve a problem or two, if properly focused on the future, to ensure security holes are detected as soon as possible instead of a year later, as is the case now.

Although governments have made some effort to come up with measures, chances of having unitary regulations for IoT are small, mostly because governments are at least five years behind when it comes to understanding technology and the industry, added Essaid. As we can’t rely completely on governments and manufacturers to fix this problem in the near future, educating users about the importance of online security is the most important step forward.

Filed Under: Advanced Persistent Threat, antivirus, Bitdefender, endpoint, IoT, Malware, Products, Security News

LogRhythm’s Security Analytics Platform: Product Overview

2016/11/14 by admin

By Dan Sullivan - TechTarget

Expert Dan Sullivan examines LogRhythm’s Security Analytics Platform, a product that leverages big data analytics and machine learning to help protect enterprises.

LogRhythm’s Security Analytics Platform is one of several security applications that leverage big data technologies to help mitigate the risk of targeted, persistent threats. It is part of an emerging class of big data security analytics products that are designed to capture, integrate, analyze and store at higher rates and volumes than found in earlier generation security information and event management (SIEM) products.

LogRhythm Security Analytics covers a range of analytics areas across an enterprise attack surface, such as user behavior and network anomalies. The platform is designed to give enterprises a holistic view of potential threats using risk-based analytics. Enterprise customers have the option of customizing analytics rules of the platform or using preset threat detection and compliance modules. The security analytics platform also offers users the ability to search, collect and correlate forensic data in the event of a security incident or data breach.

How it works

The big data security analytics platform incorporates advanced analytics technologies for correlation and pattern recognition, as well as multidimensional analysis across users and endpoints. The platform uses machine learning for advanced threat detection; specifically, LogRhythm’s artificial intelligence engine offers continuous automated analysis of different types of data to correlate and identify potential threats. The AI engine comes with nearly 1,000 preconfigured correlation rule sets as well as a GUI for security managers to create and customize their own rules.

LogRhythm Security Analytics also offers a forensics analytics feature. The forensics analytics tool is powered by Elasticsearch, an open source search engine, and is designed to help security managers search through large amounts of data quickly using contextual criteria and full-text terms.

In addition, the platform takes advantage of the LogRhythm Knowledge Base, which is regularly updated with new intelligence and components for integrating with endpoint devices. For example, the knowledge base includes rules for parsing over 600 different types of logs and specialized modules for privileged user monitoring, user and endpoint anomaly detection and web application defenses.

There is substantial support for compliance reporting within the LogRhythm Security Analytics platform, including HIPAA, PCI DSS, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, FISMA, ISO 27001 and NERC-CIP regulations.

The security analytics platform can work in conjunction with the LogRhythm Security Intelligence Platform, which offers both traditional SIEM capabilities as well as threat intelligence services.

Support, cost and deployment

LogRhythm provides a number of customer support options, the two most popular being Standard Support and the premium-level Platinum Support. The standard tier offers access to the LogRhythm support portal and access to user forums as well as technical phone support. Phone support is available from 7am to 6pm MST in this tier. Platinum Support, meanwhile, offers 24/7 phone and email support in addition to other standard-level support options.

The platform can be deployed as high performance appliances or as a software application in a virtual environment. For pricing information, contact the vendor.

Conclusion

The LogRhythm Security Analytics Platform provides a consolidation point for endpoint and network event data. Its machine learning capability is an essential feature for detecting anomalous events as they occur as well as for supporting forensic analysis, while its support for compliance reporting across a number of major regulations will appeal to businesses in regulated industries. Businesses looking to consolidate device and network logging and analysis may find a good fit with the LogRhythm Security Analytics platform.


Filed Under: Advanced Persistent Threat, compliance, CyberThreats, endpoint, industry, Log Management, LogRhythm, Products, Security News

© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement